The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up-to-date.

In June, the Personal Data Protection Board published Guidelines on Cookie Applications, Draft Guidelines on the Examination of Loyalty Programmes within the Scope of Personal Data Protection Legislation and Data Breach Notifications.


Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In June 2022, five data breach notifications were published on the website of the Personal Data Protection Authority,

MBtech Mühendislik ve Danışmanlık Ltd. Şti.

It was stated that the data controller was subjected to a ransomware attack, the start date of the breach detected on 28.05.2022 is being investigated, although the details of the affected personal data categories are still being investigated; identity, contact, location, personal, customer transaction, finance, professional experience and audio-visual records; the number of affected persons is 500 and the persons are employees, users and customers / potential customers.

Pegasus Hava Taşımacılığı A.Ş.

There is unauthorised access to the systems due to the fact that the browser listing feature of the service established for the purpose of flight planning of the flight crews of the data controller employee and ensuring the necessary coordination is open,

On 21.03.2022, the browser listing feature, which was found to be open in the system on 24.03.2022, was closed on 24.03.2022 and the security vulnerability was eliminated, the violation was later detected on 31.05.2022 through the monitoring tools of information security intelligence services, on social media accounts and some websites, texts introducing themselves were published by people who made unauthorised access on the subject, upon the posts of third parties who provided unauthorised access, they were contacted and requested to destroy the personal data accessed,

Within the categories of identity, contact and location of the personal data affected by the breach; the name, surname, telephone number, e-mail address, title, flight information of the pilot and cabin crew employees, flight locations, photographs and signature images of some of these employees, and the number of affected persons has not yet been determined.

Barçın Spor Malzemeleri Ticaret ve Sanayi A.Ş.

187. 930 data was obtained by third parties through the middleware programme used to convert the excel format file containing the personal data of the relevant person into csv format, the breach was learnt through the news on a website, the relevant groups of people affected by the breach are users, customers and potential customers and that the categories of personal data are identity (name, surname, gender), contact (telephone number, e-mail address), customer transaction (customer id) and other (date of membership to the website) information, that the customer ids in the excel spreadsheet obtained by third parties do not match the customer ids in our data controller systems, and that the number of affected persons is 187. 930.

Tofisa Textile Industry and Trade Limited Company

In the calls received by the call centre from the customers, it was informed that they received messages and calls from various law offices regarding the initiation of enforcement proceedings regarding the cargo costs that they did not receive, as a result of the checks, it was determined that the callers who called the call centre were persons shared with the data processor (Dolunay Kargo Lojistik Otomotiv İnşaat Sanayi ve Tic. Ltd Şti. ), that the data controller tried to contact the data processor but failed, that the names, surnames, telephone numbers, e-mail addresses of the data subjects were shared with the data processor, that the names, surnames and telephone numbers were used unlawfully, that the affected data subjects were customers and potential customers and that the number of people was 42,373 and that this number was the number of people who were not delivered cargo in the data processor records.

ARG Denizcilik İnşaat Otomotiv Sanayi ve Ticaret Ltd. Şti, İstek Gemi İnşa Bakım İnşaat Hırdavat Sanayi ve Ticaret Ltd. Şti, Safter Ulubay

The breach occurred by preventing access to the files on the computer and its source was stated as sabotage, it occurred on 21.06.2022 and was detected on the same day, the identity, contact and personal information of the employees of the data controller were affected by the breach, and the estimated number of people affected by the breach for each data controller is 2000.


16 June – Public Announcement on “Draft Guidelines on the Review of Loyalty Programmes under the Personal Data Protection Legislation”

Today, loyalty programmes aimed at improving customer loyalty are implemented by many businesses and various personal data of the data subjects are processed by the data controllers through these programmes. In this context, the Draft Guideline prepared by the Authority has been opened for public review and opinions and evaluations are accepted within the one-month period until 16.07.2022.

Draft Guidelines on the Examination of Loyalty Programmes within the Scope of Personal Data Protection Legislation

Within the scope of the Guideline, loyalty programmes are defined as “programmes aiming to increase the sales and profitability of the implementing company while providing benefits to the customer through the implementation of all or some of the strategies such as providing points/gifts/advantages to the customer within the framework of various criteria in return for shopping by processing the personal data of the customer that will enable the customer to be specific or identifiable for the enterprise, following the shopping habits of the customer, providing personalised product/service offers by analysing the processed personal data unilaterally or within the scope of a programme partnership”.

Different types of loyalty programmes are defined in the Draft Guidelines. These are; Points Based Loyalty Programmes, Tiered Loyalty Programmes, Fee Based Loyalty Programmes / VIP Membership Programmes, Refundable Loyalty Programmes, Value Based Programmes, Partnership Programmes, Game Programmes and Mixed System Programmes.

Personal data processed within the scope of loyalty programmes can generally be classified as i. personal data actively and voluntarily provided by the customer, ii. personal data passively provided by the customer (such as processing of IP, location data if the loyalty programme is used via mobile application), iii. customer data provided from other sources (data obtained by analysing data actively provided by a customer, other user data collected passively or data from undefined datasets and making analyses based on this combined data).

It is possible to rely on the cause of lawfulness of the performance of the contract in transactions such as calculating the points earned, providing information about the points, reminding the points that will expire, for the businesses that provide the activity carried out in loyalty programmes with a loyalty contract, and it is interpreted that there is no need to obtain consent for such notifications in accordance with Article 7 of the Regulation on Commercial Communication and Commercial Electronic Messages.

As a rule, the requirement that the service should not be conditional on explicit consent will also remain valid in terms of personal data processed in the context of loyalty applications, but in the presence of certain conditions, the request by the data controller to give explicit consent to the processing of data in order to participate in the loyalty application may not be considered as binding the service to the consent condition and may be deemed to be lawful. In the event that explicit consent is not given within the scope of loyalty programmes, it is not that the product/service is not offered, but that the product/service is offered without additional benefit.

In this Draft Guideline, the notifications received regarding the sending of commercial electronic messages as a result of people telling the code sent to their phones via SMS to the attendant when they shop in the store have been responded as follows:

As a requirement of layered disclosure, the purpose of the SMS to be sent to the phone of the persons and what the consequences will be if the code transmitted with this SMS is given should be conveyed to the relevant persons in a clear and understandable manner by the persons authorised by the data controller in the stores in the first stage, and also to provide the necessary channels in the content of the SMS in order to fulfil the disclosure obligation,

Sending a verification code via SMS to the relevant persons during the payment for the purchases made in the stores, putting an end to the practices of performing different processing activities such as membership agreement, personal data processing permission, commercial electronic message approval, etc. with a single action, and obtaining explicit consent separately by offering options for the processing activities in question,

In addition, avoiding situations that may cause the explicit consent and disclosure obligation to be realised together by data controllers,

In the event that an application is made to send an SMS verification code in order to obtain explicit consent for sending commercial electronic messages, a public announcement has been published on the website of the Authority that it is important that the explicit consent to be obtained in the transaction in question covers all elements, and data controllers who implement loyalty programmes should also pay attention to these issues.


With the recent Board Decision Summary, an administrative fine of TL 800,000 was imposed for a violation arising from cookie applications. With this Decision Summary and other signals, it is concluded that digital applications and the vulnerabilities they contain are on the radar of the Board.

In this ecosystem where applications such as e-commerce and online sales are more popular than ever before, the Guideline on Cookie Practices is an expected news for all stakeholders interested in data protection legislation.

In the Guideline, the types and definitions of cookies, the rules to be taken into account, the use of cookies in scenarios that require explicit consent and scenarios that do not require explicit consent, the elements that should be included in the explicit consent obtained, and the appropriate disclosure are included with very intensive technical details.

The points that we think are important are summarised below.


Social Plugin Tracking Cookies: Many social networks offer social plug-in modules that website owners can integrate into their websites in order to provide certain services that can be considered “expressly requested” by their members. These modules can be used for additional purposes such as behavioural advertising, analytics or market research to track members/non-members with the help of third party cookies. These cookies cannot be considered “strictly necessary” to provide a functionality explicitly requested by the user. It is unlikely that there is any legal basis for social networks to collect data about non-members of their networks through social plug-ins without explicit consent.

Online Behavioural Advertising Cookies: Cookies used for behavioural advertising require explicit consent. In this case, the requirement for explicit consent naturally extends to relevant cookies used for advertising purposes, including cookies used for display frequency, financial record keeping, advertising partnership, click fraud detection, research and market analysis, product development and debugging, as it is clear that none of these purposes relate to a service or functionality within the scope of information society services expressly requested by the user, as required by Criterion B.

A cookie wall is an application that prevents a visitor from viewing the content of a website unless the visitor has consented to the use of all cookies on the website. Within the scope of the free giving of explicit consent, it may be the case that cookie walls prevent the relevant person from making a real choice when expressing his/her consent. Provided that each case is assessed on a case-by-case basis, it may be possible to offer certain fair alternatives other than a cookie wall for the relevant persons to obtain a service.

Good Practice in the Use of Cookies

While obtaining explicit consent within the scope of cookies, it is stated as an example of good practice that a cookie management panel (applications such as pop-up or band) appears as soon as the site is entered and that the “accept”, “reject” and “preferences” buttons are presented equally (in terms of colour, size, font size) on the panel in question.

It is necessary to fulfil the obligation to inform during the acquisition of personal data, and it has been determined as a correct practice to place an explanation or, if necessary, a link to the processing of personal data through cookies in the cookie management panel in question. In this context, it is important that the cookies that need to be processed with explicit consent are initially passive in the management panel.

It should also be noted that in the use of online advertising cookies, it will not be possible to obtain explicit consent by bundled method in documents such as the usage agreement or terms and conditions.